How to Use the nmap Command in Linux

One of the commands that have become essential for many sysadmin and Linux professionals is the nmap command. That is why the more information we have about this command the better. That is why we have prepared this post with the intention that you learn how to use the nmap command in Linux.

Introducing to Nmap

According to the tool’s website, we find the following definition:

Nmap (“Network Mapper”) is a free and open-source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.

This tool is widely used throughout the Linux world but also has versions for macOS, Windows, and other Unix systems.

Nmap supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. Also, Nmap has been used to scan huge networks of literally hundreds of thousands of machines.

Installing the tool

In general, this tool is not present by default in the installations of the main Linux distributions. But, the package is available in the official repositories of almost all of them so the installation is quite easy.

In the case of Debian, Ubuntu, and derivatives, you can install it with the following command:

sudo apt install nmap

But if you use Fedora, CentOS 8, Rhel 8, and derivatives:

sudo dnf install nmap

But on distributions like Arch Linux, Manjaro, and derivatives:

sudo pacman -S nmap

Finally, for OpenSUSE:

sudo zypper in nmap

As it is quite light, the installation will be very fast.

How to use the nmap command

The most basic way the command works is to use it to scan a host defined by IP address or domain.

For example:

nmap [ip-adress]
nmap [domain]

You will get an output similar to this:

Starting Nmap 7.70 ( https://nmap.org ) at 2021-03-26 13:59 -04
Nmap scan report for example.com (x.x.x.x)
Host is up (0.17s latency).
Other addresses for example.com (not scanned): x.x.x.x
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 16.05 seconds

In this output screen, you will be able to know the latency, available ports, and services that make use of it. If you add the -v option you can have more detailed output.

nmap -v [ip-adress-or-domain]

However, you can scan multiple hosts by separating them by a blank space.

nmap 192.168.1.1 192.168.1.1.10 192.168.1.22

On the other hand, you can also scan an entire range of IP addresses.

nmap 192.168.1.1-100

This way, you can check many addresses at once.

Example of nmap command usage

Perform a quick scan of an IP address.

It is possible to perform a quick scan when required, you have to use the -F option

nmap -F 192.168.1.34

Detect the active hosts within a network.

This option is quite useful to find out when a machine is being used, just include the -sn options

nmap -sn 192.168.0.0/24

Know the host’s operating system

To do this, you have to add the -O option although on some operating systems it will not succeed due to lack of permissions. To use it, you will have to be a root user or use sudo.

sudo nmap -O 192.168.1.22

Verify if the Firewall is working.

To check the status of the Firewall you can use the -sA option with root or sudo permissions.

sudo nmap -sA 192.168.1.32

Working with ports

One of the most interesting options offered by nmap is that you can scan a specific port. For this example, I will choose port 80 which is one of the most commonly used ports.

nmap -p 80 192.168.1.11

Or scan several ports simultaneously:

nmap -p 80,443 192.168.1.11

This way you will scan ports 80 and 443 but they can be as many as you want but separated by commas.

Also, you can scan a range of ports by using the - sign

nmap -p 80-90 192.168.1.5

This is a simple way to check if a given service is using a given port.

TCP ports

In case you want to scan all TCP ports you can do it with the following command

nmap -sT 192.168.2.124

In this way, you will be scanning all the ports that make use of the TCP protocol on a given host.

Also, you can specify a port of this protocol:

nmap -p T:80 192.168.2.124

In this case, I am checking port 80, but it can be any port you want.

UDP Ports

We also have the option to scan UDP ports, for this the option to use is the sU option.

nmap -sU 192.168.2.124

In the same way, you can scan a port of the UDP protocol in a similar way to TCP.

nmap -p U:81 192.168.2.124

Conclusion

The nmap tool is a basic utility for many people working on Linux, especially in networking. Although it is also used by programmers to know if any application is using a specific port but this goes beyond this and it is possible to find more information about the host or even about the network. Especially when the network to be analyzed is an internal network.

Finally, using the nmap command is not complex but the many options can overwhelm some users. For this, we recommend reading the official documentation.

Share This: